New research links WannaCry hackers to China

As the WannaCry crisis abates, government agencies and security researchers from around the world continue their search for those behind the ransomware. Two weeks ago, the finger pointed at the Lazarus group, hackers run by North Korea. Now, there’s evidence to suggest the perpetrators are linked to China.

That’s the view of web intelligence firm Flashpoint. It carried out a linguistic and cultural review of the WannaCry ransom notes, which, as the malware infected computers in more than 100 countries, were written in 28 different languages.

Analyzing each note for content, accuracy, and style, the company concluded that virtually every note had been translated using Google Translate. The only exceptions were those written in English, traditional Chinese, and simplified Chinese, which appeared to have been composed by a human.

While the English version of the ransom note is almost perfect, it contains what Flashpoint calls “a glaring grammatical error” that suggests the author “is non-native or perhaps poorly educated.” There are a few small errors in the English note, but the most glaring is, “But you have not so enough time.”

The grammar, punctuation, syntax, and character choice in the Chinese notes suggest they were written by a native speaker. More tellingly, the content, length, and tone differ from the other notes. They use a term for week (li bai) that is more common in south China, Hong Kong, Taiwan, and Singapore, Flashpoint says. But Dr Zhang Kefeng, a professor of Chinese language at Jimei University in Xiamen, told the South China Morning Post that the word is also common in northern China.

"It is difficult to spot geographical differences in written Chinese nowadays, especially among educated people," he said.

With Google struggling to translate English to Chinese and Chinese to English, it seems the English version was used to translate the note into other languages, while the Chinese notes were written by a person fluent in the language.

Flashpoint points out that its findings are not enough to determine the nationality of the author(s). But the fact that the Lazarus group is said to operate out of China makes this discovery all the more interesting.